14 August 2018 14:53:29

Starting with iOS 11.3 in the spring of this year, Apple already created the possibility to control via MDM restrictions which third party apps (keyword: WhatsApp) can access the managed company contacts of the ActiveSync account. This was done via the Managed Open In restrictions, which control whether an unmanaged app can access the content of a managed app or account.

See also my blog post: ios-11.3-update-regarding-contact-containisation.htm

Yesterday Apple released updated Configuration Profile documentation which, among other iOS 12 additions, contains two new restrictions that allow additional control over access to contacts when the Managed Open In restriction is set to false.

allowManagedToWriteUnmanagedContacts

Optional. If set to true, managed apps can write contacts to unmanaged contacts accounts.

Defaults to false.

If allowOpenFromManagedToUnmanaged is true, this restriction has no effect. A payload that sets this to true must be installed via MDM. Availability: Available only in iOS 12.0 and later.

allowUnmanagedToReadManagedContacts

Optional. Supervised only. If set to true, unmanaged apps can read from managed contacts accounts.

Defaults to false.

If allowOpenFromManagedToUnmanaged is true, this restriction has no effect. A payload that sets this to true must be installed via MDM. Availability: Available only in iOS 12.0 and later.
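As an added illustration (not Apple's or midpoints' code), the snippet below builds a Restrictions payload that combines the existing Managed Open In key with the two new iOS 12 keys, and works out the effective result using the precedence the documentation states. PayloadIdentifier values are placeholders; Apple's default of true for allowOpenFromManagedToUnmanaged is assumed.

```python
import plistlib
import uuid

# Restrictions payload keys (PayloadType com.apple.applicationaccess). The two
# contact keys are the iOS 12 additions; they only matter while
# allowOpenFromManagedToUnmanaged is false, which is why it is forced off here.
def build_contact_profile(managed_to_write=False, unmanaged_to_read=False):
    """Return a Configuration Profile dict; identifiers are placeholders."""
    restrictions = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.restrictions.contacts",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Contact containerization",
        "allowOpenFromManagedToUnmanaged": False,
        "allowManagedToWriteUnmanagedContacts": managed_to_write,
        "allowUnmanagedToReadManagedContacts": unmanaged_to_read,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.contacts",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Contacts policy (must be pushed via MDM)",
        "PayloadContent": [restrictions],
    }

def to_plist(profile):
    """Serialise to the XML plist text an MDM would deliver to the device."""
    return plistlib.dumps(profile).decode()

def contact_access(restrictions):
    """Effective result of the three keys, using the precedence the Apple
    documentation states: if Open In to unmanaged is allowed (Apple's default,
    assumed here), the two contact keys have no effect and contacts flow freely."""
    if restrictions.get("allowOpenFromManagedToUnmanaged", True):
        return {"unmanaged_reads_managed": True, "managed_writes_unmanaged": True}
    return {
        "unmanaged_reads_managed": bool(restrictions.get("allowUnmanagedToReadManagedContacts", False)),
        "managed_writes_unmanaged": bool(restrictions.get("allowManagedToWriteUnmanagedContacts", False)),
    }

if __name__ == "__main__":
    profile = build_contact_profile()
    print(to_plist(profile))
    print(contact_access(profile["PayloadContent"][0]))
```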

Due to the change in the underlying ACME protocol, Let’s Encrypt needs to re-validate the HTTP challenge on certificate renewal. To do this, the challenge token must be accessible on the Domino server on port 80.

If you only have port 443 enabled or forward port 80 to 443, then the challenge will fail and you will see the error message.

Just for clarification: port 80 is only needed for the first-time challenge validation after the upgrade to LE4D v2.0. It is also needed when you change the configuration and add a new host to the existing list of hostnames.

After the challenge has been validated, you can close port 80 again. It is not needed for certificate renewal.
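An added check (not part of LE4D or the original post) that reports what a client sees on port 80 at the challenge path, so you can confirm the token is reachable before triggering validation. Host and token are arguments, and the fetch function is injectable so the classification logic can be exercised offline.

```python
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"
REDIRECTS = (301, 302, 303, 307, 308)

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects, so an HTTP->HTTPS forward is reported, not hidden."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_fetch(url, timeout=10):
    """Plain-HTTP GET; returns (status, Location header, body bytes).
    status is None when no TCP connection could be made (port 80 closed/filtered)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location"), resp.read()
    except urllib.error.HTTPError as err:        # 3xx/4xx/5xx surface here
        return err.code, err.headers.get("Location"), err.read()
    except (urllib.error.URLError, OSError):
        return None, None, b""

def check_http01(host, token, fetch=http_fetch):
    """Classify what the CA would see at http://<host>/.well-known/acme-challenge/<token>.
    fetch is injectable so the classification can be exercised without a network."""
    status, location, body = fetch(f"http://{host}{ACME_PATH}{token}")
    if status is None:
        return "unreachable"              # port 80 not open on the Domino host
    if status in REDIRECTS:
        if location and location.lower().startswith("https://"):
            return "redirected-to-https"  # port 80 forwarded to 443: the case the post warns about
        return "redirected"
    if status == 200:
        # key authorization is "<token>.<account thumbprint>"; only the token is known here
        return "ok" if body.startswith(token.encode()) else "wrong-content"
    return "not-found" if status == 404 else f"http-{status}"

if __name__ == "__main__":
    import sys
    print(check_http01(sys.argv[1], sys.argv[2]))
```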

28 March 2018 18:07:34

We are pleased to announce today the new version 2.0 of Let's Encrypt 4 Domino aka LE4D

Important:

If you are already using LE4D, be sure to update to the new version 2.0. Starting March 16th, the renewal of certificates generated with version 1.0 is no longer possible due to changes Let's Encrypt made to their CA API infrastructure.

What is new in LE4D 2.0

LE4D 2.0 uses the ACME v2 protocol, is based on Java 8, and is supported on Domino 9.0.1 FP8 and later on Windows and Linux. The complete code is now contained in a single Java agent. The internal communication between the agent and the XPage in LE4D 1.0, which controlled certificate generation and renewal, is therefore eliminated.

Support for wildcard certificates is not included in this version, but will be available in the next few weeks.

How to upgrade to LE4D 2.0

Existing LE4D users should already have received an email from me with the new version.

To upgrade an existing installation, simply replace the design of your LE4D application with the new template. You can delete the data in the LE4D workdir; it no longer works with the new ACME v2 protocol.

LE4D has been tested on Domino 9.0.1 FP8, FP9 and FP10 on both Windows and Linux. There are no known issues.

For further information on how to do a first time setup refer to the documentation. The documentation is part of the zip package.

I made an additional blog post regarding possible issues and how to solve them: midpoints LE4D 2.0 Some Hints

If you have any feedback or suggestions, please let us know. Let's Encrypt!

20 March 2018 14:27:27

Facebook is using us. It is actively giving away our information. It is creating an echo chamber in the name of connection. It surfaces the divisive and destroys the real reason we began using social media in the first place – human connection.

I have had a Facebook account since 2009, but I never used it much. I never used WhatsApp. I have always been sceptical about the company Facebook and did not want to let a company like Facebook participate in my business and especially my private life. Facebook (Facebook, Messenger, Instagram and WhatsApp) lives off the data and sells the data that I and my "friends" feed it with.

Facebook probably knows more about each user than any other service, agency or organization, probably more than the real people close to that user. Facebook knows your habits, where you live, your social environment, with whom you communicate and how often, what you like, which websites you visit, ...

If, after the current events, you still think "what is Facebook supposed to do with my last holiday selfie?", that is naive. Facebook actively uses the data and passes it on to third parties. What can be done with this data is being drastically demonstrated to us.

Today I made the long overdue decision for myself to delete the content as much as I can, clean up my profile and put the account into sleep mode. You can still find me there, but I will no longer actively "play" there.

13 March 2018 18:32:57

We’re pleased to announce that ACMEv2 and wildcard certificate support is live! With today’s new features we’re continuing to break down barriers for HTTPS adoption across the Web by making it even easier for every website to get and manage certificates.

Wildcard certificates allow you to secure all subdomains of a domain with a single certificate. Wildcard certificates can make certificate management easier in some cases, and we want to address those cases in order to help get the Web to 100% HTTPS. We still recommend non-wildcard certificates for most use cases.

Wildcard certificates are only available via ACMEv2. In order to use ACMEv2 for wildcard or non-wildcard certificates you’ll need a client that has been updated to support ACMEv2. It is our intent to transition all clients and subscribers to ACMEv2, though we have not set an end-of-life date for our ACMEv1 API yet. Additionally, wildcard domains must be validated using the DNS-01 challenge type. This means that you’ll need to modify DNS TXT records in order to demonstrate control over a domain for the purpose of obtaining a wildcard certificate.

The plan is to release midpoints Let's Encrypt 4 Domino v2 in the next few weeks, after we have finished some final tests.

So yes - LE4D v2 will support wildcard certificates!

But keep one thing in mind: for wildcard certificates, ACMEv2 will do the validation using a DNS-01 challenge, which requires adding a DNS TXT record to your public DNS zone. A fully automatic solution will not work with all DNS servers in use.

We will explain this in more detail when we release LE4D v2. Stay tuned.

7 March 2018 22:53:07

Today IBM released a new Traveler version called 9.0.1.21 (Build: 9.0.1.21 201803022309_20).

IBM Traveler 9.0.1.21 is a maintenance release that provides APAR fixes for the IBM Traveler server. IBM Traveler 9.0.1.21 includes a database schema update for MS SQL Server deployments. It is only necessary to run verifyIndexes.sql to update the schema to the latest level. Otherwise no action is required unless upgrading from a version prior to 9.0.1.16. If you use auto schema updates (default behavior), there is no action required. Fixlist:

5 March 2018 17:54:11

Last month I published a blog post regarding the new iOS 11.3 Enterprise features. I received a few questions regarding the Contact Containerization:

Second new feature: Contact Containerization

Prevent contacts in managed accounts, like your IBM Traveler mail account, from being used in unmanaged apps like WhatsApp or other accounts. Contacts now obey existing managed data restrictions.

That will be a huge improvement. Contacts will then finally be part of the managed / unmanaged definition and handling on the device. You can use the native Apple Mail, Calendar and Contacts apps, and the unmanaged WhatsApp app, for example, will not be able to access the contacts synced via your managed ActiveSync (Traveler or Exchange) account.

Apple's Configuration Profile documentation does not mention a new iOS 11.3 restriction for Contacts. But starting with iOS 11.3, Contacts will be covered by the already existing Managed Open In restriction. As a result, you should already be able to test it yourself using your existing MDM solution and a device already upgraded to the iOS 11.3 beta.

I made some tests this week with the current iOS 11.3 beta and it works great. I did the tests with our own MDM solution mobile.profiler v7.0, which we released in October 2017.